0x90.org

[XSO] CFString in a binary

nummish nummish at 0x90.org
Tue Apr 1 14:23:03 EDT 2008 

On Tue, Apr 1, 2008 at 12:26 PM, Gammah Radiation <gammah at gmail.com> wrote:
> On Sun, Mar 30, 2008 at 11:32 PM, nummish <nummish at 0x90.org> wrote:
>  > The section is in the format:
>  >
>  >  C8 07 00 00 XX XX XX XX YY YY YY YY
>
>  I haven't looked much further than this, but from CFString.h I am
>  guessing it's related to the string encoding? This starts at line 119
>
>
>  enum {
>     kCFStringEncodingMacRoman = 0,
>     kCFStringEncodingWindowsLatin1 = 0x0500, /* ANSI codepage 1252 */
>     kCFStringEncodingISOLatin1 = 0x0201, /* ISO 8859-1 */
>     kCFStringEncodingNextStepLatin = 0x0B01, /* NextStep encoding*/
>     kCFStringEncodingASCII = 0x0600, /* 0..127 (in creating CFString,
>  values greater than 0x7F are treated as corresponding Unicode value)
>  */
>     kCFStringEncodingUnicode = 0x0100, /* kTextEncodingUnicodeDefault
>  + kTextEncodingDefaultFormat (aka kUnicode16BitFormat) */
>     kCFStringEncodingUTF8 = 0x08000100, /* kTextEncodingUnicodeDefault
>  + kUnicodeUTF8Format */
>     kCFStringEncodingNonLossyASCII = 0x0BFF /* 7bit Unicode variants
>  used by Cocoa & Java */
>  #if MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_X_VERSION_10_4
>     ,
>     kCFStringEncodingUTF16 = 0x0100, /* kTextEncodingUnicodeDefault +
>  kUnicodeUTF16Format (alias of kCFStringEncodingUnicode) */
>     kCFStringEncodingUTF16BE = 0x10000100, /*
>  kTextEncodingUnicodeDefault + kUnicodeUTF16BEFormat */
>     kCFStringEncodingUTF16LE = 0x14000100, /*
>  kTextEncodingUnicodeDefault + kUnicodeUTF16LEFormat */
>
>     kCFStringEncodingUTF32 = 0x0c000100, /*
>  kTextEncodingUnicodeDefault + kUnicodeUTF32Format */
>     kCFStringEncodingUTF32BE = 0x18000100, /*
>  kTextEncodingUnicodeDefault + kUnicodeUTF32BEFormat */
>     kCFStringEncodingUTF32LE = 0x1c000100 /*
>  kTextEncodingUnicodeDefault + kUnicodeUTF32LEFormat */
>  #endif /* MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_X_VERSION_10_4 */
>  };
>  typedef CFStringEncoding CFStringBuiltInEncodings;
>
>
>  My guess would be those strings are UTF32 encoded perhaps? I just
>  reread your post and realize you have already read the above code
>  (likely), so that might not be a helpful response.

Yeah, that's what I was thinking, but the 0x7c8 is throwing me through
a loop. I'm only using IDA 5.1 here, and in the release notes it's
mentioned there is better cfstring handling in 5.2. Does anyone have
IDA 5.2 and are willing to disasm Mail.app and see how it labels the
first part of the strings in the __cfstring section?

More information about the XSO mailing list